Support forums : You can sense the bug

there's something wrong in password land

Not like "it smells funny when I click that". This is for bugs that don't show an error but something just doesn't seem right or ends up doing something you think is wrong. It doesn't show you an error but you know something ain't right.


Postby EdB » Sun Aug 29, 2010 6:24 am

I wrote a little plugin that lets a commenter register and subscribe right then and there. BASICALLY it puts 2 checkboxes for posts and comments, and 2 fields for a password twice. Visitor submits and - assuming the name isn't already a login and it is a valid email and both passwords match - they get registered and subscribed. And they get the "validate me" email. It all works except for one thing: the new user can never ever validate.

Testing was done by commenting from a different browser with a different name and email addy.

Anyway here's the rub: copy/pasting the link into a new tab in the browser I used to register then entering in my new password tells me it is the wrong password. Hard to be wrong when you use qwertyuiop then try again from another browser with asdfghjkl then try again from another browser with zxcvbnm but sure enough all three got bounced from validating. I then used one of the browsers to register the old fashioned way and it worked. So I guess it's in my plugin but it gets worse.

Using my admin login I reset the password on the accounts that couldn't validate. To something really simple: I copied then pasted a word in a note right above the password input fields, then pasted the same over to the other browser. STILL these new users could not log in until I manually validated the accounts.

I lifted the registration routine straight from register.php including the sending of emails stuff so I'm having a hard time seeing how that could be the problem with these accounts not validating, but when I log in as admin and give these accounts a new password and still can't log in there's something wrong in password land.

You can maybe see it happen yourself by commenting and "register+subscribe" at http://wonderwinds.com/index.php/2010/08/24/fuck-you if you want. Dunno how long I'll keep registration open but for a while anyway. The plugin needs 'new users can register' and 'users can subscribe' else it turns itself off is the thing.

Postby EdB » Sun Aug 29, 2010 6:42 am

Yeah there's something seriously wrong around here. I logged out of my admin account then tried to log back in. No deal. So I told it I forgot my password and got the email and clicked the link and got in to my user profile page. I then set my password to what it always has been and saved it. I then logged out and could not log in again.

Clearing session and domain cookies had no apparent effect.

Edit: Problem solved by undoing the salted password thing. Dunno why that caused these problems but it did. Can't say that I ever logged out or registered on a blog before tonight so I dunno what the deal is. Anyway it's only 4 files and a couple of lines each so maybe tomorrow I'll be able to get more detailed on exactly what makes what do what. Kinda got my eye on the change to the check_password function, but not at this hour. For now though it's solved on my domain and if I can't make it work with salt then I'm going to have to go with no-salt :(

Postby Tblue » Fri Sep 03, 2010 2:30 pm

Good, it's probably my fault. It can very well be that I overlooked something when implementing the salted passwords stuff; I will look at it this weekend.

Postby EdB » Fri Sep 03, 2010 5:22 pm

Oh good because there's no way I can figure it out.

The thing I had that was most symptomatic was if user A tries to set the password for user B via the admin interface. MAYBE a workable solution there is to have a button in admin to reset another user's password? Make it available only to "group 1 level 10" or only to "user 1", and such that it takes a few clicks to actually do to really avoid accidentals. Something like a whole new page with a little "close me" icon that then asks for the new password twice which then triggers like it does on file deletion where you have to click on the page again "yes do as I command"?

That way the admin clicks to access the interface, types in the password twice, clicks to submit the change, clicks to verify the change. And the software uses the actual login name instead of the current_User->login?

The other thing about my plugin not working at all is just freaky. It borrows the register process directly from the register page although it does away with hooks, so maybe that's where it went wrong?

Postby Tblue » Sat Sep 04, 2010 4:24 pm

Okay, I tried to reproduce your problems.

I first created a new user (e.g. via public registration), received a mail and successfully activated the account via the link included in it. I was able to log in using the password I chose during account creation.
Then I requested a new password, just for fun -- changing the password worked and I could use it to log in.

I also tried changing my password using the admin account. That worked, too (login possible).

Well, looks like I cannot really reproduce your problem. This was using revision 7546.

Postby EdB » Mon Sep 06, 2010 7:52 pm

hm! Went through the same process and also could not reproduce the problem, but twice now I've had problems with passwords on different installations. No worries. I'll stick to a salt-free diet and eventually have a healthy corpse :)

Postby Tblue » Mon Sep 06, 2010 7:55 pm

Okay. Weird stuff. :)

Postby EdB » Tue Sep 07, 2010 12:13 am

yeah the worst kind of troubles: "intermittent" which really means the steps leading up to the experience are not clearly documented, which means impossible to reproduce. Eventually I reckon I'll come across it again but it takes playing with and an eye on encouraging being locked out. And for me it takes "core as-is" which I went away from after the second episode. A client locked out on a real actual live installation. Too bad I can't recall *why* he got locked out in the first place that caused me to try to reset the password via the admin page. He registered a second time so I approved that (said it was validated) and he now uses that account even though logging in to his first still works.

Hey. hmm... now I forgot what I just thought of.